Attackers behind the Flame espionage malware that targeted computers in Iran used more than 80 different domain names to siphon computer-generated designs, PDF files, and e-mail from its victims, according to a new analysis from researchers who helped discover the threat.

The unknown authors of Flame shut down the sprawling command-and-control (C&C) infrastructure immediately after last Monday's disclosure that the highly sophisticated malware had remained undetected for at least two years on computers belonging to government-run organizations, private companies, and others. The 80 separate domain names were registered using a huge roster of fake identities, and some of the addresses were secured more than four years ago.

"The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008," Kaspersky Lab expert Alexander Gostev wrote in a blog post published Monday. "In general, each fake identity registered only 2-3 domains, but there are some rare cases when a fake identity registered up to 4 domains."

Names used to obtain the domains included Adrien Leroy, Arthur Vangen, George Wirtz, Gerard Caraty, Ivan Blix, and at least 15 others. They claimed to reside in a host of cities in Europe and elsewhere, in some cases at addresses that turned out to belong to hotels such as the Appart’Hotel Residence Dizerens in Geneva or, with a slight modification, the Apple Inn in Amsterdam. Other fake identities used addresses of shops, organizations, or doctor's offices. Because of the effectiveness and complexity of Flame and its targeting of Iran and other Middle Eastern computers, researchers have speculated it was sponsored by a wealthy nation-state.

Flame's C&C infrastructure relied on a roving set of servers that changed over time. The locations of what Gostev characterized as a "huge operation" included Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, and Switzerland. The blog post said researchers managed to capture traffic that infected machines sent to the command servers with the help of Web hosting provider GoDaddy and OpenDNS, a free service that provides domain name system lookups for individuals and organizations. Such "sinkholing" of C&C domains, redirecting them to a server the researchers control, is a common practice when ongoing malware infections are discovered.

"Having seen the large variety of fake domains, we contacted GoDaddy and sought the redirection of all the malware domains to our sinkhole," Gostev wrote. "Additionally, the OpenDNS security team supported the redirection of malicious domains to our sinkhole in order to protect OpenDNS users."

Over the past four years, the Flame C&C infrastructure relied on at least 22 separate IP addresses. Servers that ran the channels appeared to be running the Ubuntu Linux distribution. They used the secure sockets layer protocol to encrypt information as it was uploaded. The servers also had the ability to encrypt exfiltrated data using the SSH protocol, most likely as a backup in the event SSL wasn't available for some reason.

Flame shares some similarities with Duqu, another piece of highly sophisticated espionage software that researchers suspect was also spawned with the resources of one or more governments. Like Flame, Duqu took a keen interest in AutoCAD drawings stored on infected systems. To limit the number of pilfered documents and avoid uploading data that was of no interest, Flame extracted a 1KB sample of PDFs, Excel documents, and word-processing documents. "The malware then compresses and uploads the sample text to a command-and-control domain where, presumably, the attackers would pick through the contents and instruct the malware to then grab only specific documents that interested them," Gostev explained.

In some respects, Flame was less discreet than Duqu. For example, Duqu cloaked the true identity of the attackers by using SSH port forwarding to hide the locations of remote servers that hosted malware scripts. Flame, by contrast, ran malicious scripts directly on the servers. "From this point of view, we can state that the Duqu attackers were a lot more careful about hiding their activities compared to the Flame operators," Gostev wrote.

Flame-infected machines that connected to the C&C servers used the password "Lifestyle2" to authenticate themselves. The password was hardcoded into the malware, but could be changed as necessary.

Interesting stuff to be sure. I'm wondering why no one noticed the spikes in traffic that this would surely have caused.

RTFA wrote:

To limit the number of pilfered documents and avoid uploading data that was of no interest, Flame extracted a 1KB sample of PDFs, Excel documents, and word-processing documents. "The malware then compresses and uploads the sample text to a command-and-control domain where, presumably, the attackers would pick through the contents and instruct the malware to then grab only specific documents that interested them," Gostev explained.

I've heard a lot of grief on the forums about Kaspersky Labs. I remember when I first read about Flame a while back here on Ars and it sounded pretty devious, in a cool way at that. In listening to other news sources it seems that a lot of people are downplaying Kaspersky's hype for being just that, hype. This was also covered on NPR a couple days ago and they basically questioned whether these claims were overblown, which they rather made the case for. Being as that antivirus companies lost their heyday about a decade ago, it was argued that these claims might be hyped in order to still seem relevant and on the cutting edge of protection given that the market is pretty much full of antivirus vendors nowadays, some being rather good and free at the same time.

So if they find out who did it, will Iran declare war on them? That's the real question...

That's not much of a question. Assuming that it was Israel, the US or any NATO country, they have no reason to declare war. Iran has been waging successful proxy wars for well over a decade by arming the various terrorist groups that fight against us.

So if they find out who did it, will Iran declare war on them? That's the real question...

Stealing secrets is espionage, just like nations (even nominally friendly ones) have been doing to each other for millennia. I don't believe this is usually considered an act of war, though I don't know what international law has to say on the matter. Stuxnet is a greyer area, since it was actually used to destroy property.

Interesting stuff to be sure. I'm wondering why no one noticed the spikes in traffic that this would surely have caused.

Run it at night, or maybe while some updater process is also running? Hell, Windows has a built-in "feature" that allows certain data transfers to happen while the network is otherwise idle. It is used to make Windows update downloads less noticeable from a user standpoint.

"was sponsored by a wealthy nation-state.", "spawned with the resources of one or more governments".

Let's cut the crap, and say what we're all thinking. Flame was designed and built by the United States Government for the purpose of stealing information from Iranian government, businesses, and other middle-eastern targets.

It's like the fart in the elevator that nobody admits to, but we all know the fat guy with the Taco Bell bag and the guilty look did it. We're just too polite to go making accusations that can't be proven with 100% reliability, so we'll never know for sure.

Makes me wish some other country or union would grow a pair and challenge the US for global dominance, but everyone's too busy dealing with their own problems to care right now.

Well, I'd go for the nation-state simply because of what it does, but to say only a wealthy nation-state can write sophisticated code is just ignorant.

My own consulting outfit, back in the day, could easily have done something like this - looks pretty simple to me. We never noticed that government programmers were even close to as good as we and many other private outfits were - this might have changed, but back then, no way - they were the dumbest kids on the block then.

No big traffic spike, they thought ahead and throttled the data xfers, as I read on another (security) blog. Remember, if you, an Ars reader, can think of that in a few seconds - so can the guys writing the code.

My outfit used to capture viruses all the time (never caught one as an infection) and look inside with DevStudio's reverse tools and some tools we wrote for that job. The change to pro code happened years ago. At first, they were pretty much all written in Borland C, used only a couple of clever tricks (push a system call address on the stack and "return" to it, stuff like that) and more than half still had the debug info in them, for crying out loud! So you could even get the source code, in effect.

Then after a few years of that, suddenly no such amateur thing - more like organised crime was paying competent (but not in morals) programmers to write better code. The tricks got a lot slicker, the byte count per functionality went way down...and we saw things that looked to us like a similar level of sophistication as described for this. None of them were so stupid as to waste bytes by including a frigging code interpreter, though - that's an interesting twist indeed, that has to be a pretty huge waste of bytes...so maybe yeah, it was the government after all - that's so dumb I can hardly believe it -

My own consulting outfit, back in the day, could easily have done something like this - looks pretty simple to me.

You had the know-how to create a virus that keeps undetected for 2+ years while infiltrating millions of machines? So how many zero-day exploits in current Windows versions did you find?

Such an attack is well thought out, with lots of technical knowledge, and exploits several well-hidden zero-day vulnerabilities, stolen certificates, then the whole infrastructure that was in place. Certainly no amateurs that just want to get some credit card info could pull that off. Luckily for us (and the attackers) there's hardly a reason to be so sophisticated - why bother going the extra 10% which amounts to 100%+ more work when 90% will still work just as well.

And why "amount of bytes" would be THE definite measure for an exploit isn't clear to me. I'd go for how long it can stay undetected (extremely long), what level of access it has (full) and how easy it is to infect other targets (infected millions of machines). The interpreter seems like quite the clever idea to make life for heuristic tools harder. Yes smaller makes it easier to hide and faster to transmit, but in this day and age that doesn't seem that problematic.

killing_time wrote:

my thought on that is that they aren't trying to get new know-how, but to see at what state the country's capabilities are.

Yes that's the obvious conclusion, because nobody else would gain much by doing this.

Makes me wish some other country or union would grow a pair and challenge the US for global dominance, but everyone's too busy dealing with their own problems to care right now.

It's a bit of an aside, but didn't you notice that the US cannot feed or clothe itself, and while many rich companies are based there, little is actually made there? On top of that, how much international trade is performed in US dollars, and what happens if a few major players move to another currency?

"Global dominance" is a bit more complex than the US being acknowledged as the top dog. No country stands alone, and the US depends on others more than you might realise.

The capabilities of the virus don't seem so outlandish as to state that it takes a wealthy nation state to produce this code. Hell, some kid with a few stolen credit cards could have coded this up for all we know. The only indication that it was written by a nation state is what it does. It's not there to commit a crime. It's not there for the lulz. It's there for espionage. The only people that would engage in such espionage are nations and large companies.

Sure, I'd be surprised if it wasn't done by a country. I think assuming it's the US is a silly assumption though. The US is far from the only country that cares about Iran. We just happen to be the most likely suspect. Be hilarious if it turns out it was just some kid in his parents' basement though.

Quote:

It's a bit of an aside, but didn't you notice that the US cannot feed or clothe itself

Uh. I can't really argue with your rant, except for the feed ourselves part. The US can feed itself quite well. So well that we throw out great deals of locally produced food and some folks even get paid to NOT grow more food. As for the rest of your rant, you'll find that it applies to most countries. Any country that deals with a significant amount of foreign trade quickly ceases to be self-sufficient.